How Do Authenticator Apps Work? (TOTP, Secrets, Clock Drift & Safer Alternatives)

Learn how authenticator apps work: TOTP secrets, QR provisioning, clock drift, recovery codes, and why passkeys (WebAuthn) stop phishing.

November 8, 2025

Authenticator apps generate short-lived 6–8 digit codes using TOTP (Time-based One-Time Passwords). Your app and the website share a secret key (seed). Every 30 seconds they both compute the same code from that secret + the current time. If your phone’s clock drifts, codes can fail.

What is an authenticator app?

An authenticator app (Google Authenticator, Microsoft Authenticator, Authy, etc.) is a second factor in multi-factor authentication (MFA). Instead of receiving SMS codes, the app generates codes offline on your device. Most apps implement the TOTP standard (RFC 6238), which computes an HMAC (SHA-1, SHA-256 or SHA-512) over a counter that advances with the clock.

Want to see TOTP in action? Try our TOTP Authenticator tool.

Why apps over SMS?

  • Works offline once set up
  • Independent of your phone number (no SIM-swap risk)
  • Faster and usually more reliable than SMS
  • Standardized: TOTP is well-understood and widely supported.

For background theory, see our earlier explainer: What is TOTP?

How TOTP actually works (step-by-step)

  1. Seed (secret) is provisioned
    When you enable 2FA, the service gives you a base32-encoded secret (the seed). You scan a QR code or paste a key.
  2. Both sides compute a moving counter
    Time is split into steps (typically 30 seconds). The counter = floor(current Unix time ÷ step length).
  3. HMAC the counter with the secret
    The app computes HMAC(secret, counter) using SHA-1/256/512.
  4. Dynamic truncation → 6–8 digit code
    A chunk of the HMAC output is converted to an integer and reduced mod 10^digits (e.g., 10^6 → 6 digits).
  5. Server verifies
    The server repeats the same calculation. If your code matches within an allowed window (e.g., current ±1 step), you’re in.

Parameters you’ll see:

  • digits: usually 6 (sometimes 7 or 8)
  • period: usually 30s (can be 60s)
  • algorithm: SHA1 (default), SHA256, or SHA512

Seed provisioning: QR codes & otpauth:// URI

When you click “Enable authenticator app” in a supported app or website, a QR code is displayed that encodes an otpauth:// URI. Scanning it imports the seed and its settings.

Example otpauth:// URI

otpauth://totp/Example:alice@example.com?
secret=JBSWY3DPEHPK3PXP&
issuer=Example&
period=30&
digits=6&
algorithm=SHA1

After you enable the authenticator app, the service usually gives you a set of recovery codes. Store them immediately (see below).

Time drift (clock skew) and why codes sometimes fail

TOTPs depend on the current time. If your phone clock is off, your codes may not match the server’s:

  • Small drift: Servers typically accept codes from ±1 verification window (e.g., ±30s), so minor skew still works.
  • Significant drift: Codes fail. Good authenticator apps use network time and auto-correct. If you’re offline, manually sync your device clock.
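To make steps 1–5 above, the otpauth:// URI and the drift window concrete, here is an added example (not code from the original post or from Authgear): a minimal TOTP implementation that decodes a base32 seed, parses the page's example otpauth:// URI, computes codes, and performs the server-side check with a ±1 step tolerance. The secret `12345678901234567890` used in `main` is the RFC 6238 test-vector secret, chosen so the output can be checked against the RFC's published values; the function and variable names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

# The otpauth:// URI from the page, joined onto one line.
EXAMPLE_URI = ("otpauth://totp/Example:alice@example.com?"
               "secret=JBSWY3DPEHPK3PXP&issuer=Example&period=30&digits=6&algorithm=SHA1")


def decode_secret(secret_b32: str) -> bytes:
    """Step 1: the seed is base32; services often omit padding and mix case, so normalise first."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """Steps 3 and 4: HMAC the 8-byte big-endian counter, then dynamically truncate (RFC 4226 §5.3)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte selects the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # reduce mod 10^digits, keep leading zeros


def totp(secret: bytes, unix_time: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """Step 2: the moving counter is floor(time / period); the rest is HOTP."""
    return hotp(secret, unix_time // period, digits, algorithm)


def parse_otpauth(uri: str) -> dict:
    """Turn an otpauth://totp/ URI into the parameters an app needs (defaults per the page: 30s, 6 digits, SHA1)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": decode_secret(q["secret"]),
        "issuer": q.get("issuer"),
        "period": int(q.get("period", 30)),
        "digits": int(q.get("digits", 6)),
        "algorithm": q.get("algorithm", "SHA1").upper(),
    }


def verify_totp(secret: bytes, submitted: str, unix_time: int, period: int = 30,
                digits: int = 6, algorithm: str = "SHA1", window: int = 1):
    """Step 5: server-side check. Accepts the current step and `window` steps either side
    so small clock drift still works. Returns the matched step offset, or None.
    A real server also records the accepted step so the same code is never accepted twice
    (RFC 6238 §5.2), and rate-limits attempts; both are omitted here for brevity."""
    base = unix_time // period
    for delta in range(-window, window + 1):
        candidate = hotp(secret, base + delta, digits, algorithm)
        if hmac.compare_digest(candidate, submitted):  # constant-time comparison
            return delta
    return None


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"          # RFC 6238 Appendix B test secret
    print(totp(rfc_secret, 59, digits=8))          # RFC value: 94287082
    params = parse_otpauth(EXAMPLE_URI)
    now = int(time.time())
    code = totp(params["secret"], now, params["period"], params["digits"], params["algorithm"])
    print(params["label"], code, verify_totp(params["secret"], code, now))
```

The `verify_totp` return value tells you how far the client clock was from the server's; logging a persistent non-zero offset for a user is a cheap way to spot drifting devices before their codes start failing entirely.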

If you’re building auth, Authgear supports TOTP, recovery codes, and passkeys out of the box—so you can offer strong MFA without the complexity.

Recovery codes

If you lose or wipe your phone, that TOTP seed is gone—so you’ll need recovery codes:

  • Treat recovery codes like passwords
  • Use each recovery code once; generate a fresh set after use or after changing factors.
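The two rules above (treat recovery codes like passwords; use each once and reissue the set) map directly onto how a service should store and consume them. The following is an added example, not code from the original post or from Authgear; the `RecoveryCodeStore` class, its code format (four groups of five hex characters) and the 80-bit code length are this example's own choices.

```python
import hashlib
import hmac
import secrets


def normalise(code: str) -> str:
    """Accept the code however the user typed it: drop separators and spaces, ignore case."""
    return code.replace("-", "").replace(" ", "").strip().lower()


def hash_code(code: str) -> bytes:
    """Recovery codes are stored hashed, like passwords. A fast hash is acceptable here only
    because each code carries 80 bits of fresh randomness, which makes offline guessing impractical."""
    return hashlib.sha256(normalise(code).encode()).digest()


class RecoveryCodeStore:
    """Server-side store of single-use recovery codes for one account (hypothetical, added example)."""

    def __init__(self) -> None:
        self._hashes: list = []

    def issue(self, count: int = 10) -> list:
        """Generate a fresh set; any previous set is invalidated (e.g. after a factor change).
        The plaintext codes are returned so they can be shown to the user exactly once."""
        self._hashes = []
        plain = []
        for _ in range(count):
            raw = secrets.token_hex(10)                            # 20 hex chars = 80 bits
            code = "-".join(raw[i:i + 5] for i in range(0, 20, 5))  # e.g. 1a2b3-c4d5e-...
            plain.append(code)
            self._hashes.append(hash_code(code))
        return plain

    def consume(self, submitted: str) -> bool:
        """Check a submitted code with a constant-time comparison per stored hash and delete it
        on success, so the same code can never be accepted a second time."""
        digest = hash_code(submitted)
        for i, stored in enumerate(self._hashes):
            if hmac.compare_digest(digest, stored):
                del self._hashes[i]
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.issue()
    print("show these once:", codes)
    print(store.consume(codes[0]), store.consume(codes[0]), store.remaining())  # True False 9
```

In a real deployment the store would be a per-user table, and a successful consumption should be logged and surfaced to the user (for example by e-mail), since a recovery code being used is exactly the event an account owner would want to know about.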

Phishing-resistant alternatives: WebAuthn / Passkeys

TOTPs can still be phished: an attacker can proxy your login and relay your one-time code in real time. WebAuthn (passkeys) is different:

  • Phishing-resistant: Credentials are bound to the origin (domain), so they won’t authenticate on a fake site.
  • Public-key crypto: Your device stores a private key; the server keeps a public key. No shared secrets or codes.
  • User verification: Biometrics or device PIN unlock the credential.
  • Multi-device sync (platform-dependent) makes recovery easier than with raw

How to use an authenticator app

  1. In supported services, go to Security → Two-Factor Authentication.
  2. Choose Authenticator app on your device.
  3. Scan the QR in your app (or paste the key).
  4. Enter the 6-digit code shown in your app to confirm.
  5. Download recovery codes and store them safely.

Recommended apps:

  • Google Authenticator (iOS/Android) — simple, widely supported, optional cloud backup.
  • Microsoft Authenticator (iOS/Android) — great if you use Microsoft accounts; encrypted cloud backup; works for any TOTP site.
  • 1Password (iOS/Android/desktop) — password manager with built-in TOTP. Super convenient, but note the trade-off: storing first and second factors together reduces separation of factors—mitigate with a strong master password + 2FA on the vault.
  • Apple Passwords — built-in TOTP on iOS/iPadOS/macOS; syncs across Apple devices.

FAQ: How do authenticator apps work?

How do authenticator apps work without the internet?
They compute codes locally from a shared secret + time. Once the seed is on your device, it doesn’t need network access.

Can I move my authenticator to a new phone?
Yes, but you must transfer the seeds or re-enrol. Some apps support encrypted backups/sync. Otherwise, use each service’s recovery codes to sign in and set up TOTP again on the new device.

Why are my codes “incorrect”?
Most common causes: wrong account, wrong digit length or period, or clock drift. Check that the digits and period match the service’s settings (usually 6 digits and 30 seconds) and that your device time is correct.

Are authenticator apps safer than SMS?
Yes. They’re not tied to your phone number and resist SIM-swap. However, they are not fully phishing-resistant; WebAuthn / passkeys are.

What’s the difference between TOTP and HOTP?
TOTP derives each code from the current time; HOTP is counter-based (the counter, and therefore the code, advances each time a code is used). Most consumer apps use TOTP.
